Package: dh-apparmor
Version: 2.10-4
Severity: important

If a package ships an apparmor policy, and it's the first policy on the system, then it's not getting enabled during postinst configure, causing the service to fail to start:

} root@sid:~# aa-status
} apparmor module is loaded.
} 0 profiles are loaded.
} 0 profiles are in enforce mode.
} 0 profiles are in complain mode.
} 0 processes have profiles defined.
} 0 processes are in enforce mode.
} 0 processes are in complain mode.
} 0 processes are unconfined but have a profile defined.
} root@sid:~# apt-get install tor
} Reading package lists... Done
} Building dependency tree
} Reading state information... Done
} The following additional packages will be installed:
} tor-geoipdb
} Suggested packages:
} mixmaster torbrowser-launcher socat tor-arm obfsproxy obfs4proxy
} The following NEW packages will be installed:
} tor tor-geoipdb
} 0 upgraded, 2 newly installed, 0 to remove and 46 not upgraded.
} Need to get 0 B/2311 kB of archives.
} After this operation, 8707 kB of additional disk space will be used.
} Do you want to continue? [Y/n]
} Selecting previously unselected package tor.
} (Reading database ... 26574 files and directories currently installed.)
} Preparing to unpack .../tor_0.2.8.2-alpha-1_amd64.deb ...
} Unpacking tor (0.2.8.2-alpha-1) ...
} Selecting previously unselected package tor-geoipdb.
} Preparing to unpack .../tor-geoipdb_0.2.8.2-alpha-1_all.deb ...
} Unpacking tor-geoipdb (0.2.8.2-alpha-1) ...
} Processing triggers for man-db (2.7.5-1) ...
} Processing triggers for systemd (229-4) ...
} Setting up tor (0.2.8.2-alpha-1) ...
} Something or somebody made /var/lib/tor disappear.
} Creating one for you again.
} Something or somebody made /var/log/tor disappear.
} Creating one for you again.
} Setting up tor-geoipdb (0.2.8.2-alpha-1) ...
} Processing triggers for systemd (229-4) ...
} root@sid:~# aa-status
} apparmor module is loaded.
} 0 profiles are loaded.
} 0 profiles are in enforce mode.
} 0 profiles are in complain mode.
} 0 processes have profiles defined.
} 0 processes are in enforce mode.
} 0 processes are in complain mode.
} 0 processes are unconfined but have a profile defined.

The journal has this to say:

| Apr 23 19:53:20 sid systemd[1091]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
| Apr 23 19:53:20 sid systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR

Starting works after a reboot or after 'service apparmor restart'.

I think the problem is that, without any policies loaded, aa-status enabled exits with exit code 2, and thus the postinst doesn't enable the service:

From the postinst:

| if aa-status --enabled 2>/dev/null; then
|     apparmor_parser -r -T -W "$APP_PROFILE" || true
| fi

This made it work:

--- /var/lib/dpkg/info/tor.postinst 2016-04-23 14:01:01.000000000 +0200 +++ ./tor.postinst 2016-04-23 19:50:17.560787075 +0200 @@ -165,7 +165,9 @@ } # Reload the profile, including any abstraction updates - if aa-status --enabled 2>/dev/null; then + rc=0 + aa-status --enabled 2>/dev/null || rc=$? + if [ "$rc" = 0 ] || [ "$rc" = 2 ]; then apparmor_parser -r -T -W "$APP_PROFILE" || true fi fi

Please consider this change.

Cheers,
weasel
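
Review bot: the new test [ "$rc" = 0 ] || [ "$rc" = 2 ] accepts exit status 2 without saying what 2 means, so a later cleanup could easily fold it back into a plain "if aa-status --enabled". Add a comment above rc=0 recording that, per this report, aa-status --enabled returns 2 when AppArmor is enabled but no policies are loaded, which is exactly the first-profile case that must still run apparmor_parser. Note also that the diff is against the installed /var/lib/dpkg/info/tor.postinst while the report is filed against dh-apparmor, so the same change needs to be made wherever dh-apparmor provides this block, not only in tor's copy.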